I'm a contract Security Architect based in Scotland, UK. I derive strategy for large organisations as well as provide design mentoring and governance. My company also provides forensic analysis for the legal community in Scotland.

Is there a true alternative to using CAPTCHA images? If the arithmetic was in plain text then a reader would indeed help. However, if an arithmetical challenge would be a lot easier to interpret. It really depends what the risk appetite is and what the end goal of the CAPTCHA is.

What are HTTP GET/POST flood attacks? It's rare but I once found the other HTTP request types switched on for a custom J2EE web application. It was a mistake in the way that one of the designers had implemented HttpServlet and had accidentally switched it all on.

How do small businesses handle web app security? FWIW, I'm in the same geographic area and industry as Rory and totally agree. Some large organisations (even in finance) can make a complete mess of IT Security, i.e. "too big and complex" to ensure compliance.